kerberos setup, basic questions
Hi,
I would like to use nfs4 with kerberos (nfs4 is tested here). I've read
the documentation on the homepage and these two howtos:
http://www.linuxfromscratch.org/hints/downloads/files/heimdal.txt
https://help.ubuntu.com/community/NFSv4Howto
Some general questions:
1.
kadmin -l
add --random-key host/belgarath.lfs.org
What does "host" mean in this case? The Ubuntu howto uses nfs instead.
2.
The parameter encrypt in krb5.conf - isn't kerberos all about secure
authentication? Why even allow the possibility to transfer something not
encrypted?
3.
I've added the principal progger to the kerberos database. If I now run
mount /tmp/somedir (/tmp/somedir is added in /etc/fstab with options
sec=krb5,users) as user progger, mount times out.
The gss module is loaded on the client:
lsmod|grep rpc
rpcsec_gss_krb5 8464 1
auth_rpcgss 46496 3 rpcsec_gss_krb5,nfsd
sunrpc 195592 16 rpcsec_gss_krb5,nfs,nfsd,lockd,nfs_acl,auth_rpcgss
And the server:
lsmod|grep rpc
rpcsec_gss_krb5 8464 0
auth_rpcgss 46496 2 rpcsec_gss_krb5,nfsd
sunrpc 195592 204 rpcsec_gss_krb5,nfsd,lockd,nfs_acl,auth_rpcgss
DNS and reverse DNS lookups work for both machines.
Any ideas?
Configuration:
Client and server:
/etc/krb5.conf
[libdefaults]
default_realm = LOCALDOMAIN.DE
encrypt = true
[realms]
LOCALDOMAIN.DE = {
    kdc = olli-keller.localdomain.de
}
[domain_realm]
.my.domain = LOCALDOMAIN.DE
kinit progger works from the client and server.
Btw, the 1.0 manual says to create
/var/heimdal
but heimdal 1.0.1 tries to create its database in:
/var/lib/heimdal/